"salespitch" Malware - How Do I Remove?

My problem can best be described as malware, even though it hasn't damaged my pc. There is a program running somewhere in the background that keeps making messages appear constantly saying that my pc is infected and I should click the given link to purchase software. Some of these messages are cleverly disguised as Windows Error/warning messages. This program seems to be hidden from my Processes List under Task Manager. Every now and then, I would also get popups that exaggerate that "MY PC IS INFECTED!" I even ended up with a hijacked browser on Internet Explorer (also linking me to places where I can purchase software--but I was able to remove that). Still, the auto-"Virus Alert!" keeps coming up at regular intervals (usually every few minutes). Here's my hijack this! log. I hope I did this right:

Not sure what alert exactly you are getting, but I guess it asks you to download Spyfalcon.

I see Viewpoint installed. Viewpoint Manager is considered foistware instead of malware since it is installed without users' approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint

Viewpoint Manager

Viewpoint Media Player

Please disable SpySweeper's real-time protection, so it will not interfere with the fix:

Open SpySweeper and click Options | Program Options. Uncheck Load at Windows startup. Over to the left click Shields. Uncheck Home page shield and Automatically restore default without notification.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

Download it to your desktop.

Double-click roguescanfix.exe

Click the 'install' button.

This will create a new folder on your desktop called Roguescanfix.

Open that folder and double-click: Run.bat

Note: This tool needs an internet connection because it downloads an additional file to let the tool work properly.

If your firewall gives an alert, allow it instead of blocking it.

In case you still get the message BFU.exe is not present, download BFU.zip from here. Unzip it and place BFU.exe in the Roguescanfix folder. Then double-click Run.bat again.

The tool will uninstall some programs and delete related files and registry keys.

When some files won't get deleted, it will ask you to reboot your system to delete the files after reboot.

Please make sure the uninstall of the programs is finished before you click Yes to reboot.

Post a new HijackThis log in your next reply and let me know if that alert is gone now.

Okay, I tried all the things above. It didn't work. I'll be more specific and post the new log.

SpyFalcon was one of the things that ended up on my PC, but I was able to easily remove it with Add/Remove Programs (it kept popping up and pretending to scan my pc and made outrageous claims like I had 1,500 infections on my computer and I need to download this software fast!!)

I already had Viewpoint on my PC. I intentionally downloaded it months ago. However, the article you showed me plus the fact I never use it anymore was a good enough reason for me to get rid of it anyway, so I followed that first step. However, I feel I should mention that I only found "Viewpoint Manager" and "Viewpoint Media Player" in the Add/Remove Programs list. I didn't see a "Viewpoint".

I tried to check off all items on the hijackthis list above that you posted, but I did not find the following:

I checked and fixed the others anyway. I followed all other instructions, no problem.

Maybe you've seen this before: the thing I can't get to go away is an icon in the bottom tray of my Desktop. It's a green handicap symbol (the stick-figure in the wheelchair--it's used to represent the ADA) followed by a red circle with a line through it. By that, I mean the handicap symbol and red circle blink in alternation. Have you ever seen a program with a symbol like that? At what appears to be a fixed interval, it brings up a message saying that my pc is infected and I need to get some software to get rid of the infection. It gets pretty annoying.

Yes, this issue is very common nowadays. It's a false alert, trying to make you use and buy one of these so-called antispyware scanners they provide. These scanners have a bad reputation.

* Reboot into Safe Mode (without networking support!):

To get into Safe Mode, as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Clean your Cache and Cookies in IE:

Close all instances of Outlook Express and Internet Explorer

Go to Control Panel > Internet Options > General tab

Click the "Delete Cookies" button

Next to it, Click the "Delete Files" button

When prompted, place a check in: "Delete all offline content", click OK

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

Go to Tools > Options.

Click Privacy in the menu on the left side of the Options window.

Click the Clear button located to the right of each option (History, Cookies, Cache).

Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

* Clean other Temporary files + Recycle bin

Go to start > run and type: cleanmgr and click ok.

Let it scan your system for files to remove.

Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; I need that log afterwards.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

* Perform an online scan with Panda: (please use this scanner instead of any other scanner!)

Panda Online

- Once you are on the Panda site click the Scan your PC button
- A new window will open... click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report in your next reply along with a new HijackThis Log, the contents of rapport.txt which is present on your Homedrive (C:\ in most cases) by using Add Reply.

The weird "fake warning" problem is gone. I don't see the stupid message anymore. It seemed to have gone away just after using Smitfraudfix. However, I still carried out the remaining steps, just to play it safe.

Please hide your hidden files and folders again afterwards, because the above instructions to set your system to show all files unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

Hi, it looks like I forgot one you have to delete, so delete this next folder:

C:\Program Files\Common Files\blmcendq

The files you deleted were the ones that were flagged by Panda as malware but not deleted. Panda only deleted a few, but not all, so that's why I asked you to delete them manually.

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster

SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.

* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so-called removers ARE spyware.

* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

And I do suggest you perform an online virus scan once in a while. (Housecall and/or Bitdefender). Because what one virus scanner can't find another one maybe can.

Also make sure that your virus scanner, the one that is installed on your system, is always up to date!